FileMaker Cloud on EC2 - Is the *.filemaker-cloud.com domain required?

I'll open with my question: All of the documentation that I've found for FileMaker Cloud indicates that at the end of the configuration you choose a 'hostname' that appears to become the server 'Name' in a lot of places as well as registering the FQDN '<yourhostname>.fmi.filemaker-cloud.com'. What I can't find is any documentation that indicates the latter FQDN is optional. We already have a domain name and are going to DNS alias our own subdomain to the Cloud instance for us to use. Is there something about FileMaker app distribution that I'm not aware of that depends on the filemaker-cloud.com domain? Can we not use our own domain? Can we avoid the filemaker-cloud.com domain at all? I'd prefer to keep our server out of any 3rd party resources since the software is installed entirely on AWS instances in our own account. It makes me a bit nervous that the Cloud software is registering a domain entry in some other network... what else is it connecting to?

Some background/context to help answer so you know where I'm coming from: I'm helping my wife set up this FileMaker Cloud instance for her office. It's a small business, they bought a 10 user license for FileMaker Server. None of them are tech professionals, it isn't a tech company (it's real estate), but a few of them started building an app to share information relevant to their business. Due to a number of reasons the local Windows Server they had it running on wasn't going to work and they are now migrating the Server license to AWS for FileMaker Cloud using the BYOL marketplace option. (It wasn't a problem with FileMaker, it was the server itself and their useless IT company... long story). I'm a software engineer with plenty of experience developing cloud services and all aspects of AWS, so I'm more than familiar with the AWS setup. However, I'm not familiar with FileMaker, specifically, so the nuances of the configuration and how it's used are still new to me. I've been approaching this like the FileMaker Cloud setup is a black box: It's "just" a server application that needs to run on an EC2 instance and I can configure everything else to get it hosted and internet accessible behind a domain, and let them configure it like they did FileMaker Server once it's up and running. But since Cloud has some level of self-management built into it I'm discovering some of these quirks that I wasn't expecting. The filemaker-cloud.com subdomain registration struck me as odd and concerned me enough to want an answer, and the fact that I couldn't find one documented made me more concerned!

-- John FX

P.S. - As a side note, I'd never heard of FileMaker before, but I'm really impressed with it. The fact that some people with zero programming experience at my wife's office were able to put together a somewhat complex application is amazing. I love the abstractions that FM provides. The whole Table vs Table Occurrence seems to be a big source of confusion, it took me a bit to figure out that the TO graphs are basically just visual SQL queries that are made to look like an ER schema diagram for the DB itself. A lot of posts on this community and around Google seem to echo that confusion as well. But apart from that everything else in FM seems to be straightforward and intuitive and does a great job of abstracting core concepts of software architecture so that you don't even need to think about it. :thumbsup:

Yeah, that's the bit that I'm trying to figure out. The FM docs on their website make it seem like FM Cloud is the same as Server but just packaged up to deploy to an AWS EC2 instance for you via the marketplace, but I'm starting to think that is not true. It's almost like they wanted FMC to be a truly abstracted 'cloud' service where you didn't need to use AWS at all, you instead got a server hosted by FileMaker (xxx.fmi.filemaker-cloud.com) and paid the monthly bill to them, but then they changed their mind at the last minute and instead let people install it on their own AWS account... but the software is still built as though it wants to be the former cloud platform, as though the client licensing the server wouldn't actually have root access to the server instance or have network control over its internet routable address.

Is there some documentation that I'm missing that explains the functional difference between FMS and FMC? If I have an FMC instance running side-by-side with an FMS instance deployed to EC2, are they functionally different or ultimately the same FM software? I understand server management is different between the two approaches, but I'd expect the FM server software to be similar once it's running, right?

I had seen that doc, but the very first sentence leads back to my question:

FileMaker Cloud comes with a trial SSL certificate and "fmi.filemaker-cloud.com" domain that is good for the 1st 90 days. To continue using FileMaker Cloud beyond the trial period, you must purchase a different custom domain name and SSL certificate.

Is there any way to complete the FileMaker Cloud setup without the included SSL certificate and "filemaker-cloud.com" domain? I want to end up with FileMaker just running on an EC2 instance that only my company knows about, since it's in my AWS account, and I can set up the domains and SSL certs later. It bugs me that the cloud setup registers itself with FileMaker's global domain of all FileMaker servers.

The initial registration/announce aside, is there any way to *unregister* that domain? I don't want any 'xxx.fmi.filemaker-cloud.com' domain to point to my server at all. That's what I'm asking.

I had seen that doc, but the very first sentence leads back to my question:

FileMaker Cloud comes with a trial SSL certificate and "fmi.filemaker-cloud.com" domain that is good for the 1st 90 days. To continue using FileMaker Cloud beyond the trial period, you must purchase a different custom domain name and SSL certificate.

Is there any way to complete the FileMaker Cloud setup without the included SSL certificate and "filemaker-cloud.com" domain?

During the initial setup? No. But once you have the instance set up and running you can import your own SSL cert and set up DNS with your own FQDN to point to the instance.

The initial registration/announce aside, is there any way to *unregister* that domain? I don't want any 'xxx.fmi.filemaker-cloud.com' domain to point to my server at all. That's what I'm asking.

Ahh, no, you can't unregister the xxx.fmi.filemaker-cloud.com name for your FileMaker Cloud instance. There will actually be two of those names pointed at your instance (for example, "fc-224-170-33-1475102152.fmi.filemaker-cloud.com" and "myInstance.fmi.filemaker-cloud.com"). You can't remove those, but you don't need to use them. We never give those names to users and we never use them past the initial setup process. BTW, your instance will also have a *.*.amazonaws.com name pointed at it. You can't remove that or the AWS-assigned public IP address either.

If you're concerned about someone stumbling across your server's name, I'd suggest making your initial name complex. That will make it more obscure, but no more secure. If you want to prevent anyone outside your organization from seeing your FileMaker Cloud instance, consider setting up a VPN and/or inbound security rules that restrict access to the specific IP addresses of the users within the organization.
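An added example (not part of the thread, and not FileMaker or AWS code) of checking the inbound-rule advice above: it audits security group ingress rules, in the JSON shape returned by `aws ec2 describe-security-groups`, against an allowlist of office addresses. The group ID, the CIDRs and the use of port 5003 as the FileMaker client port are assumptions made for the sample.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group ID, ports and CIDRs are placeholders, not values from the thread;
# 5003 is assumed here to be the FileMaker client port.
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
  {"IpProtocol": "tcp", "FromPort": 5003, "ToPort": 5003,
   "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "198.51.100.0/24"}],
   "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "192.0.2.0/24"}], "Ipv6Ranges": []}
]}]}
""")

# Assumed allowlist: the office's public egress addresses (documentation ranges).
OFFICE_CIDRS = ["203.0.113.10/32", "198.51.100.0/24"]


def audit_ingress(groups, allowed_cidrs):
    """Return (group_id, port_range, cidr, reason) for every inbound source
    that is not contained in one of the allowed networks."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for group in groups["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            # IpProtocol "-1" means all protocols and carries no port fields.
            if perm.get("IpProtocol") == "-1":
                ports = "all"
            else:
                ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                net = ipaddress.ip_network(cidr, strict=False)
                if net.prefixlen == 0:
                    reason = "open to the internet"
                elif any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    continue  # source lies inside an allowlisted office network
                else:
                    reason = "source not in allowlist"
                findings.append((group["GroupId"], ports, cidr, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE, OFFICE_CIDRS):
        print(*finding, sep="\t")
```

Security groups are evaluated against the source address AWS sees, so the allowlist has to hold the office's public egress addresses rather than internal LAN ranges.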

If you want to prevent anyone outside your organization from seeing your FileMaker Cloud instance, consider setting up a VPN and/or inbound security rules that restrict access to the specific IP addresses of the users within the organization.

Agreed. AWS offers all the tools to make access to your instances as secure as you need them to be.

Right, like I said I'm very familiar with AWS. That's why I was surprised about the filemaker-cloud.com domain, since I wasn't even expecting to have that happen at all. I just expected to have a standard EC2 instance with the delightfully obscure amazonaws.com hostname and then I'd go set up my own DNS routing and SSL certificate. I'm not really concerned about the security of my instance, I was mostly concerned about what kind of behavior the filemaker-cloud.com domain was providing. Particularly whether there was any extra functionality in FMC that isn't present in FMS that depends on "phoning home" to the mothership at filemaker-cloud.com. If I cut off an FMC instance behind a VPC with peering to our corporate network so that filemaker-cloud.com can't talk to it, will the FM instance still function or will it start erroring because it can't talk to the FMC domain? The fact that it is always registered and not optional usually means something about the software requires it, otherwise it would be clearly documented as an opt-in convenience option for people who don't have their own domain. E.g. "If you would like a filemaker-cloud.com domain, check this box, otherwise set up your private domain and SSL certificate using these instructions <link>"

Since the fmi.filemaker-cloud.com domain is always registered and it can't be unregistered, that basically means FileMaker ends up with a domain registry of every single FMC instance ever deployed from the AWS marketplace. That seems risky for a number of reasons, particularly for customers that don't adequately secure their instances.

So you have your own SSL and DNS, that is fine. The trick is where to point the DNS, right?

FileMaker Cloud does not use an Elastic IP, so the IP is subject to change and is not static. During part of the maintenance routines that FM Cloud performs, it can build a new instance, attach the data volume to the new instance and terminate the old one, so the IP is going to change eventually.

I am fairly certain that when a FM Cloud instance starts up, it "phones home" with its current IP address, and the scripting updates the IP in Route53 that FMI manages, so there is nothing you can do there.

You need to set up your DNS record as a CNAME to the FileMaker provided name. That way it keeps up to date.